diff options
-rw-r--r-- | auth-pam.c | 10 | ||||
-rw-r--r-- | session.c | 11 |
2 files changed, 17 insertions, 4 deletions
@@ -673,6 +673,7 @@ sshpam_init(Authctxt *authctxt) { const char *pam_rhost, *pam_user, *user = authctxt->user; const char **ptr_pam_user = &pam_user; + char *laddr, *conninfo; struct ssh *ssh = active_state; /* XXX */ if (sshpam_handle != NULL) { @@ -702,6 +703,15 @@ sshpam_init(Authctxt *authctxt) sshpam_handle = NULL; return (-1); } + + laddr = get_local_ipaddr(packet_get_connection_in()); + xasprintf(&conninfo, "SSH_CONNECTION=%.50s %d %.50s %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), + laddr, ssh_local_port(ssh)); + pam_putenv(sshpam_handle, conninfo); + free(laddr); + free(conninfo); + #ifdef PAM_TTY_KLUDGE /* * Some silly PAM modules (e.g. pam_time) require a TTY to operate. @@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) char **p; /* - * Don't allow SSH_AUTH_INFO variables posted to PAM to leak - * back into the environment. + * Don't allow PAM-internal env vars to leak + * back into the session environment. */ +#define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*,SSH_CONNECTION*" p = fetch_pam_child_environment(); - copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); + copy_environment_blacklist(p, &env, &envsize, + PAM_ENV_BLACKLIST); free_pam_environment(p); p = fetch_pam_environment(); - copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); + copy_environment_blacklist(p, &env, &envsize, + PAM_ENV_BLACKLIST); free_pam_environment(p); } #endif /* USE_PAM */ |